Developing Multilevel Security (MLS) Framework

This is the third article in a series designed to address the needs of government and business for collaborative and secure information sharing within a Multilevel Security (MLS) framework.

A workable Multilevel Security framework would need to support:
• a highly collaborative mission critical environment
• multilevel classified data shared efficiently between individuals with various clearance levels
• secure vetting of end user identification, applications, workstations, compute facilities, and network and storage infrastructure.

The good news is that major components of the MLS framework have been initiated; they just have not been integrated into a scale-out solution – until now.

At the highest policy level, the US government over the last ten years has created a more holistic, standards-based, agile information sharing security framework that is focused on results-driven decision making. This is documented in Intelligence Community Directive (ICD) 503. This framework balances risks to support the need for collaborative and secure information sharing. However, the primary emphasis is on achieving mission results and success.

What It Takes To Be Secure

Download the Multilevel Security White Paper from the Editors of insideHPC

Implementing a framework may seem straightforward, but in practice most solutions to date have tended to be extremely complicated, costly, and difficult to use. At its most basic level, a system solution must take the following actions to ensure data security:

• Assign security clearance levels to individuals who are officially granted access to specific sets of classified data on the basis of need to know.
• Label data with appropriate classification levels.
• Prevent data labeled with higher classifications from being read by users with lower clearance levels.
• Prevent users with higher clearance levels from writing to files with a lower data classification, and from reclassifying data without proper authorization.
• Segregate users and data access according to clearance and classification level.

The Defense and Intelligence Communities have additional stringent security requirements for systems providing Multilevel Security access:

• Mandatory Access Controls to strictly enforce user and subject access.
• Unique and traceable user identification.
• Audit trails that record all actions, and tools to analyze patterns.
• Security labeling that reflects data sensitivity and user access.
• Notification and enforcement of user session auditing (log on, log out, time outs, retries, etc.).
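As an added illustration (not code from the article or from Seagate), the access rules and audit-trail requirement above expressed as a small reference-monitor check: a label is a level plus need-to-know compartments, a read is allowed only when the clearance dominates the data label (no read up), a write only when the data label dominates the clearance (no write down; writing upward is permitted under this classic model), and reclassification only with explicit authority. User and file names are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Hierarchical sensitivity levels; need-to-know compartments sit alongside them.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self dominates other when its level is at least as high AND it holds
        # every compartment of other (the need-to-know part of the label).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

AUDIT: List[str] = []  # append-only audit trail of every decision taken

def decide(user: str, clearance: Label, action: str, obj: str,
           classification: Label, downgrade_authority: bool = False) -> bool:
    """Reference-monitor decision for one request; every decision is audited."""
    if action == "read":            # no read up: clearance must dominate data label
        allowed = clearance.dominates(classification)
    elif action == "write":         # no write down: data label must dominate clearance
        allowed = classification.dominates(clearance)
    elif action == "reclassify":    # relabeling needs explicit, separate authority
        allowed = downgrade_authority and clearance.dominates(classification)
    else:
        raise ValueError(f"unknown action {action!r}")
    AUDIT.append(f"{user} {action} {obj} -> {'ALLOW' if allowed else 'DENY'}")
    return allowed

# Constructed sample labels (hypothetical users and files, not from the article).
ALICE = Label("SECRET", frozenset({"ALPHA"}))
BOB = Label("TOP SECRET", frozenset({"ALPHA", "BRAVO"}))
FILES = {
    "plan.txt": Label("SECRET", frozenset({"ALPHA"})),
    "bravo.txt": Label("SECRET", frozenset({"BRAVO"})),
    "summary.txt": Label("CONFIDENTIAL"),
    "ts.txt": Label("TOP SECRET", frozenset({"ALPHA"})),
}

if __name__ == "__main__":
    decide("alice", ALICE, "read", "plan.txt", FILES["plan.txt"])      # ALLOW
    decide("alice", ALICE, "read", "bravo.txt", FILES["bravo.txt"])    # DENY: no need to know
    decide("alice", ALICE, "read", "ts.txt", FILES["ts.txt"])          # DENY: read up
    decide("bob", BOB, "write", "summary.txt", FILES["summary.txt"])   # DENY: write down
    print("\n".join(AUDIT))
```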

Implementing these policies protects systems and infrastructure against threats from within as well as from outside.

While Intelligence Community Directive (ICD) 503 policies have been in place for several years, and lower level secure collaborative information sharing procedures and guidelines have been available for well over ten years, most agencies and facilities still separate data with different security classifications into isolated standalone compute and storage systems.

This is due to the one primary component that has remained missing: a scale-out secure storage system designed to keep sensitive data secure while efficiently meeting the needs of Big Data and HPC scale environments. While small systems existed to provide MLS capabilities for individual systems or local storage, no readily available technology could provide the scalable storage and performance needed to consolidate multiple isolated systems into a single environment.

The next article in this series looks at key breakthroughs in secure scale-out storage for the Defense and Intelligence Communities, as well as businesses, that enable automated, streamlined, and pervasive adoption of MLS. Can’t wait for next week’s article? Download the entire article series in PDF format from the insideHPC White Paper Library, courtesy of Seagate.

Comments

  1. Great and very topical report. FYI, Lockheed Martin has implemented MLS via a Red Hat SELinux / Altair PBS integration — here’s the case study: http://www.pbsworks.com/lockheed_martin